unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#52690] Remove direct dependencies on the nss-certs certificate store
@ 2021-12-21  0:36 Leo Famulari
  2021-12-21  0:37 ` [bug#52690] [PATCH] gnu: ldns: Do not depend directly on nss-certs Leo Famulari
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Leo Famulari @ 2021-12-21  0:36 UTC (permalink / raw)
  To: 52690

[-- Attachment #1: Type: text/plain, Size: 750 bytes --]

Three packages depend directly on nss-certs: ldns, pypy3, and icedtea6.

This is a problem because certificates expire. When that happens, the
features of these programs that use X.509 certificates will stop
working. Instead, packages should look up certificates at run-time in
unversioned and well-known locations such as /etc/ssl/certs or via
environment variables like $SSL_CERT_DIR.

I'll send a patch removing the dependency from ldns.

pypy3 does not build anyways because its runpath cannot be successfully
validated, but I will investigate anyways after disabling the runpath
validator.

Icedtea6 is a very complex package. I assume it depends on the
certificates directly for a good reason, but I would still appreciate
some feedback on it.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#52690] [PATCH] gnu: ldns: Do not depend directly on nss-certs.
  2021-12-21  0:36 [bug#52690] Remove direct dependencies on the nss-certs certificate store Leo Famulari
@ 2021-12-21  0:37 ` Leo Famulari
  2021-12-21  2:48 ` [bug#52690] [PATCH] gnu: pypy3: Prohibit references to nss-certs Leo Famulari
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2021-12-21  0:37 UTC (permalink / raw)
  To: 52690

If ldns depends on a particular version of nss-certs, the features that use the
certificates will eventually stop working as the certificates expire. Instead,
the certificates should be found at run-time.

* gnu/packages/dns.scm (ldns)[inputs]: Remove nss-certs.
[arguments]: Adjust the value of "--with-ca-path" in #:configure-flags.
---
 gnu/packages/dns.scm | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 5c5f95537b..269d312487 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -40,7 +40,6 @@ (define-module (gnu packages dns)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
-  #:use-module (gnu packages certs)
   #:use-module (gnu packages check)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages databases)
@@ -178,9 +177,7 @@ (define-public ldns
         ;; "--with-p5-dns-ldns"
         (string-append "--with-ssl="
                        (assoc-ref %build-inputs "openssl"))
-        (string-append "--with-ca-path="
-                       (assoc-ref %build-inputs "nss-certs")
-                       "/etc/ssl/certs"))
+        (string-append "--with-ca-path=/etc/ssl/certs"))
        #:make-flags
        (list
         (string-append "drillbindir="
@@ -210,7 +207,7 @@ (define-public ldns
        ("python" ,python-wrapper)
        ("swig" ,swig)))
     (inputs
-     (list libpcap nss-certs openssl))
+     (list libpcap openssl))
     (synopsis "DNS library that facilitates DNS tool programming")
     (description "LDNS aims to simplify DNS programming, it supports recent
 RFCs like the DNSSEC documents, and allows developers to easily create
-- 
2.34.0





^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [bug#52690] [PATCH] gnu: pypy3: Prohibit references to nss-certs.
  2021-12-21  0:36 [bug#52690] Remove direct dependencies on the nss-certs certificate store Leo Famulari
  2021-12-21  0:37 ` [bug#52690] [PATCH] gnu: ldns: Do not depend directly on nss-certs Leo Famulari
@ 2021-12-21  2:48 ` Leo Famulari
  2021-12-26 17:37 ` [bug#52690] Remove direct dependencies on the nss-certs certificate store Mathieu Othacehe
  2021-12-26 21:32 ` [bug#52690] [PATCH] gnu: IcedTea: Prohibit references to nss-certs Leo Famulari
  3 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2021-12-21  2:48 UTC (permalink / raw)
  To: 52690

Built packages should not refer to nss-certs, to prevent errant hard-coding of a
certificate store version.

* gnu/packages/python.scm (pypy3)[arguments]: Add nss-certs
to #:disallowed-references.
---
 gnu/packages/python.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index f0d2fd6eb8..23f188c6f9 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -780,6 +780,7 @@ (define-public pypy3
      `(#:tests? #f                     ;FIXME: 43 out of 364 tests are failing
        #:modules ((ice-9 ftw) (ice-9 match)
                   (guix build utils) (guix build gnu-build-system))
+       #:disallowed-references (,nss-certs)
        #:phases (modify-phases %standard-phases
                   (delete 'configure)
                   (add-after 'unpack 'patch-source
-- 
2.34.0





^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [bug#52690] Remove direct dependencies on the nss-certs certificate store
  2021-12-21  0:36 [bug#52690] Remove direct dependencies on the nss-certs certificate store Leo Famulari
  2021-12-21  0:37 ` [bug#52690] [PATCH] gnu: ldns: Do not depend directly on nss-certs Leo Famulari
  2021-12-21  2:48 ` [bug#52690] [PATCH] gnu: pypy3: Prohibit references to nss-certs Leo Famulari
@ 2021-12-26 17:37 ` Mathieu Othacehe
  2021-12-26 20:55   ` Leo Famulari
  2021-12-26 21:32 ` [bug#52690] [PATCH] gnu: IcedTea: Prohibit references to nss-certs Leo Famulari
  3 siblings, 1 reply; 6+ messages in thread
From: Mathieu Othacehe @ 2021-12-26 17:37 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 52690


Hello Leo,

> I'll send a patch removing the dependency from ldns.
>
> pypy3 does not build anyways because its runpath cannot be successfully
> validated, but I will investigate anyways after disabling the runpath
> validator.

The ldns and pypy3 patches make sense to me.

Thanks,

Mathieu




^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#52690] Remove direct dependencies on the nss-certs certificate store
  2021-12-26 17:37 ` [bug#52690] Remove direct dependencies on the nss-certs certificate store Mathieu Othacehe
@ 2021-12-26 20:55   ` Leo Famulari
  0 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2021-12-26 20:55 UTC (permalink / raw)
  To: Mathieu Othacehe; +Cc: 52690

On Sun, Dec 26, 2021 at 06:37:52PM +0100, Mathieu Othacehe wrote:
> 
> Hello Leo,
> 
> > I'll send a patch removing the dependency from ldns.
> >
> > pypy3 does not build anyways because its runpath cannot be successfully
> > validated, but I will investigate anyways after disabling the runpath
> > validator.
> 
> The ldns and pypy3 patches make sense to me.

Thanks, pushed.




^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#52690] [PATCH] gnu: IcedTea: Prohibit references to nss-certs.
  2021-12-21  0:36 [bug#52690] Remove direct dependencies on the nss-certs certificate store Leo Famulari
                   ` (2 preceding siblings ...)
  2021-12-26 17:37 ` [bug#52690] Remove direct dependencies on the nss-certs certificate store Mathieu Othacehe
@ 2021-12-26 21:32 ` Leo Famulari
  3 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2021-12-26 21:32 UTC (permalink / raw)
  To: 52690

I checked, and neither of these packages keep references to nss-certs.
So, although this change will cause rebuilds, it shouldn't cause any
functional changes.

However, my understanding is that the IcedTea packages actually copy the
NSS certificate store, so there wouldn't be a reference anyways, but we
would have the problem of "software that expires".

Built packages should not refer to nss-certs, to prevent errant hard-coding of a
certificate store version.

* gnu/packages/java.scm (icedtea-7, icedtea-8)[arguments]: Add nss-certs
to #:disallowed-references.
---
 gnu/packages/java.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 0a757b2391..91a16bb53d 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -812,6 +812,8 @@ (define-public icedtea-7
          ;; gremlin) doesn't support it yet, so skip this phase.
          #:validate-runpath? #f
 
+         #:disallowed-references (,nss-certs)
+
          #:modules ((guix build utils)
                     (guix build gnu-build-system)
                     (ice-9 match)
@@ -1376,7 +1378,8 @@ (define-public icedtea-8
           (guix build syscalls)
           ,@%gnu-build-system-modules)
 
-         #:disallowed-references ,(list (gexp-input icedtea-7 "jdk"))
+         #:disallowed-references ,(list (gexp-input icedtea-7 "jdk")
+                                         nss-certs)
 
          ,@(substitute-keyword-arguments (package-arguments icedtea-7)
              ((#:modules modules)
-- 
2.34.0





^ permalink raw reply related	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-12-26 22:43 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-21  0:36 [bug#52690] Remove direct dependencies on the nss-certs certificate store Leo Famulari
2021-12-21  0:37 ` [bug#52690] [PATCH] gnu: ldns: Do not depend directly on nss-certs Leo Famulari
2021-12-21  2:48 ` [bug#52690] [PATCH] gnu: pypy3: Prohibit references to nss-certs Leo Famulari
2021-12-26 17:37 ` [bug#52690] Remove direct dependencies on the nss-certs certificate store Mathieu Othacehe
2021-12-26 20:55   ` Leo Famulari
2021-12-26 21:32 ` [bug#52690] [PATCH] gnu: IcedTea: Prohibit references to nss-certs Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).